DocuSign SSOv2 - Identity Provider Settings

Issue

A DocuSign account has an inaccurate or missing Identity Provider setup in their SSO configuration.

Possible Causes

Occasionally, during troubleshooting, an organization administrator of a DocuSign account deletes the Identity Provider information, or the company switches to a different Identity Provider and needs to update its settings. This article provides guiding steps to recreate the IdP data in DocuSign for common Identity Providers.

Solutions

Note: DocuSign Support is not responsible for knowing your IdP information, where to locate this information within the IdP, or the exact configuration of settings required by the IdP. The organization administrator of the account should be aware of these requirements.

Various Identity Providers (IdPs) have different requirements when their information is set up in DocuSign. Below are the most common setup configurations required within the DocuSign Identity Provider Settings page. Please keep in mind that the data below is provided by your IdP and is not something a DocuSign Support representative can provide. We understand that some administrators may not know where to find this information. This article is meant as a point of reference that gives general guidance on what information is needed.

The options that can be edited on the Identity Provider Settings page are:
  • Name (Required) - A unique name (without spaces) that identifies the Identity Provider being used.
  • Identity Provider Issuer (Required) - A unique URL identifier specific to your Identity Provider's instance.
  • Identity Provider Login URL (Required) - The redirect URL that initiates the authentication handshake when logging in via SSO.
  • Identity Provider Logout URL - Similar to the login URL; this is the IdP URL to which a logout request is sent, for IdPs that process logout requests.
  • Identity Provider Metadata URL - A URL that identifies the formatting of the SAML request generated by the IdP.
  • Sign AuthN request - Select only if your IdP requires signed SAML requests.
  • Sign logout request - Select only if your IdP requires signed SAML requests.
  • Send AuthN request by: GET or POST - Select according to your IdP's expectations.
  • Send logout request by: GET or POST - Select according to your IdP's expectations.
  • Custom Attribute Mapping - DocuSign expects certain attributes to be sent in the SAML request. Naming conventions for these differ from provider to provider, and this feature lets you map an attribute to the name DocuSign expects. Example: an IdP calls the attribute FirstName but DocuSign expects GivenName; mapping FirstName to GivenName prevents problems.
  • Identity Provider Certificates (Required) - A hashed thumbprint proving that the SAML request coming from the IdP is authentic. The customer uploads this into DocuSign so that no one else can submit SAML requests to authenticate.
ADFS (Active Directory Federation Services)
ADFS will usually use the following information for authentication:
  • Identity Provider Issuer (Required) - http://{adfs hostname}/adfs/services/trust
  • Identity Provider Login URL (Required) - https://{adfs hostname}/adfs/ls/
  • Identity Provider Metadata URL - https://{adfs hostname}/FederationMetadata/2007-06/FederationMetadata.xml
  • Sign AuthN request - This item should be checked.
  • Send AuthN request by - This should be set to POST.
  • Identity Provider Certificates (Required) - These can typically be located under ADFS Management > Certificates > Token-Signing certificate within Active Directory.
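Most of the fields listed above (issuer, login and logout URLs, the signed-request flag, the binding and the signing certificate thumbprint) are published by the IdP in the SAML metadata document behind its metadata URL. The following added example (not DocuSign's or ADFS's own code) parses such a document and maps it onto the DocuSign field names, preferring the HTTP-POST binding and ignoring encryption-only keys; the metadata, hostnames and certificate body are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed minimal SAML 2.0 IdP metadata standing in for a real IdP's
# metadata document; the hostname and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.test/adfs/services/trust">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, as shown in the ADFS certificate UI."""
    return hashlib.sha1(der).hexdigest().upper()

def idp_settings_from_metadata(xml_text: str) -> dict:
    """Map an IdP's SAML metadata onto the DocuSign Identity Provider Settings fields."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService")}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{MD}SingleLogoutService")}
    # Only signing keys authenticate the IdP's messages; a missing 'use' means signing and encryption.
    certs = []
    for kd in idp.findall(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{DS}X509Certificate"):
            certs.append(thumbprint(base64.b64decode("".join(c.text.split()))))
    binding = POST if POST in sso else next(iter(sso))  # prefer POST, as the ADFS section requires
    return {
        "Identity Provider Issuer": root.get("entityID"),
        "Identity Provider Login URL": sso[binding],
        "Identity Provider Logout URL": slo.get(POST) or next(iter(slo.values()), None),
        "Sign AuthN request": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "Send AuthN request by": "POST" if binding == POST else "GET",
        "Identity Provider Certificates": certs,
    }
```

Comparing the thumbprints this returns against what is currently uploaded in DocuSign is a quick way to spot a rotated token-signing certificate before users start failing to log in.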
AzureAD (Azure Active Directory)
AzureAD expires its certificates for SAML/SSO every 90 days, so reviewing the IdP settings and uploading a new certificate will be a frequent occurrence. Azure also provides a guide specifically for adding SSO for DocuSign. DocuSign is currently investigating a way to use the smart certificate rollover available via AzureAD, but as of now the feature is not supported. Below is a recap of the settings from Azure that need to be entered into the Identity Provider Settings page in DocuSign:
  • Identity Provider Issuer (Required) - In the Azure classic portal, copy the Issuer URL for this field.
  • Identity Provider Login URL (Required) - In the Azure classic portal, copy the Remote Login URL for this field.
  • Identity Provider Logout URL - In the Azure classic portal, copy the Remote Logout URL for this field.
  • Sign AuthN request - Select this option.
  • Send AuthN request by - This should be set to POST.
  • Send logout request by - This should be set to POST.
Okta
When configuring, log in to the Okta Admin panel and navigate to Applications > DocuSign > Sign On > SAML 2.0 > View Setup Instructions. This generates a guide containing the relevant environment-specific values.
  • Identity Provider Issuer (Required) - An alphanumeric string unique to your instance.
  • Identity Provider Login URL (Required) - https://{okta login base URL}/app/docusign/{issuer}/sso/saml
  • Identity Provider Logout URL - Your base URL for accessing Okta.
G Suite

If G Suite is your DNS registrar, your domain validation token can be added to a TXT record in the G Suite Admin console (https://admin.google.com), under ‘Domains’-->‘Advanced DNS Settings’. Once your domain is claimed, the following steps show how to configure G Suite as your DocuSign Identity Provider.
  1. (In G Suite Admin) Under Apps-->SAML Apps, add a new SAML App. There should be a preconfigured ‘DocuSign’ option.
  2. (In G Suite Admin) Copy the SSO URL and Entity ID, and download the domain certificate.
  3. (In DocuSign Admin) Under Identity Providers-->Add Identity Provider, create a new IdP with the following data:
  • Name: Your G Suite domain (e.g. docusign-demo.com)
  • Identity Provider Issuer: ‘SSO URL’ from G Suite (see above)
  • Identity Provider Login URL: ‘Entity ID’
  • Add Certificate: Upload the certificate downloaded from the Google IdP.
  • Save it!
  4. (In G Suite Admin) In Apps-->SAML Apps-->DocuSign-->Service Provider Details, enter the following details from your DocuSign Admin ‘endpoints’ listing (Identity Providers-->Actions-->Endpoints):
  • Application Name: DocuSign
  • Description: The only eSignature solution recommended by Google
  • ACS URL: [The value in ‘Service Provider Assertion Consumer Service URL’]
  • Entity ID: [The value in ‘Service Provider Issuer URL’]
  • Start URL: [The value in ‘Service Provider Login URL’]
  • Name ID: Basic Information : Primary Email
  • Name ID Format: EMAIL
  • Attribute Mapping:
    • name: Basic Information: First Name
    • emailaddress: Basic Information: Primary Email
    • surname: Basic Information: Last Name
    • givenname: Basic Information: First Name